@engjts/nexus 0.1.8 → 0.1.9

package/src/security/auth/JWTProvider.ts

@@ -1,316 +0,0 @@
-/**
- * JWT Provider
- * 
- * Provider untuk JWT authentication yang bisa di-inject via DI system.
- * Mudah digunakan di route handler tanpa perlu setup middleware manual.
- */
-
-import { Context } from '../../core';
-import type { User, JWTConfig } from '../types';
-
-export interface JWTProviderConfig {
-  secret: string;
-  expiresIn?: string | number;  // '1h', '7d', 3600, etc.
-  issuer?: string;
-  audience?: string;
-}
-
-export interface TokenPayload {
-  id: string | number;
-  email?: string;
-  username?: string;
-  roles?: string[];
-  permissions?: string[];
-  [key: string]: any;
-}
-
-export interface VerifyResult {
-  valid: boolean;
-  user: User | null;
-  error?: string;
-  expired?: boolean;
-}
-
-/**
- * JWT Provider Class
- * 
- * @example
- * ```typescript
- * // Setup di app
- * const jwt = new JWTProvider({
- *   secret: process.env.JWT_SECRET!,
- *   expiresIn: '1h'
- * });
- * 
- * const app = createApp().provide({ jwt });
- * 
- * // Gunakan di route
- * app.post('/login', async (ctx, { jwt }) => {
- *   const token = await jwt.sign({ id: user.id, email: user.email });
- *   return { token };
- * });
- * 
- * app.get('/profile', async (ctx, { jwt }) => {
- *   const result = await jwt.verify(ctx);
- *   if (!result.valid) return ctx.response.status(401).json({ error: 'Unauthorized' });
- *   return { user: result.user };
- * });
- * ```
- */
-export class JWTProvider {
-  private config: JWTProviderConfig;
-
-  constructor(config: JWTProviderConfig) {
-    if (!config.secret) {
-      throw new Error('JWT secret is required');
-    }
-    this.config = {
-      expiresIn: '1h',
-      ...config
-    };
-  }
-
-  /**
-   * Generate JWT token dari user/payload
-   */
-  async sign(payload: TokenPayload, options?: Partial<JWTProviderConfig>): Promise<string> {
-    const config = { ...this.config, ...options };
-    
-    const header = { alg: 'HS256', typ: 'JWT' };
-    
-    // Calculate expiry
-    let exp: number;
-    const expiresIn = config.expiresIn || '1h';
-    if (typeof expiresIn === 'number') {
-      exp = Math.floor(Date.now() / 1000) + expiresIn;
-    } else {
-      exp = Math.floor(Date.now() / 1000) + this.parseExpiry(expiresIn);
-    }
-    
-    const tokenPayload = {
-      ...payload,
-      iat: Math.floor(Date.now() / 1000),
-      exp,
-      ...(config.issuer && { iss: config.issuer }),
-      ...(config.audience && { aud: config.audience })
-    };
-    
-    const encodedHeader = this.base64UrlEncode(JSON.stringify(header));
-    const encodedPayload = this.base64UrlEncode(JSON.stringify(tokenPayload));
-    const signature = await this.createSignature(`${encodedHeader}.${encodedPayload}`, config.secret);
-    
-    return `${encodedHeader}.${encodedPayload}.${signature}`;
-  }
-
-  /**
-   * Verify token dari Authorization header atau cookie
-   */
-  async verify(ctx: Context, options?: { cookieName?: string }): Promise<VerifyResult> {
-    const token = this.extractToken(ctx, options?.cookieName);
-    
-    if (!token) {
-      return { valid: false, user: null, error: 'No token provided' };
-    }
-    
-    return this.verifyToken(token);
-  }
-
-  /**
-   * Verify token string langsung
-   */
-  async verifyToken(token: string): Promise<VerifyResult> {
-    try {
-      const parts = token.split('.');
-      if (parts.length !== 3) {
-        return { valid: false, user: null, error: 'Invalid token format' };
-      }
-      
-      const [encodedHeader, encodedPayload, signature] = parts;
-      
-      // Verify signature
-      const expectedSignature = await this.createSignature(
-        `${encodedHeader}.${encodedPayload}`,
-        this.config.secret
-      );
-      
-      if (signature !== expectedSignature) {
-        return { valid: false, user: null, error: 'Invalid signature' };
-      }
-      
-      // Decode payload
-      const payload = JSON.parse(this.base64UrlDecode(encodedPayload));
-      
-      // Check expiry
-      if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
-        return { valid: false, user: null, error: 'Token expired', expired: true };
-      }
-      
-      // Check issuer
-      if (this.config.issuer && payload.iss !== this.config.issuer) {
-        return { valid: false, user: null, error: 'Invalid issuer' };
-      }
-      
-      // Check audience
-      if (this.config.audience && payload.aud !== this.config.audience) {
-        return { valid: false, user: null, error: 'Invalid audience' };
-      }
-      
-      const user: User = {
-        id: payload.id,
-        email: payload.email,
-        username: payload.username,
-        roles: payload.roles || [],
-        permissions: payload.permissions || []
-      };
-      
-      return { valid: true, user };
-      
-    } catch (error) {
-      return { valid: false, user: null, error: 'Token verification failed' };
-    }
-  }
-
-  /**
-   * Decode token tanpa verify (untuk debugging)
-   */
-  decode(token: string): TokenPayload | null {
-    try {
-      const parts = token.split('.');
-      if (parts.length !== 3) return null;
-      
-      const payload = JSON.parse(this.base64UrlDecode(parts[1]));
-      return payload;
-    } catch {
-      return null;
-    }
-  }
-
-  /**
-   * Refresh token (generate token baru dengan expiry baru)
-   */
-  async refresh(token: string, options?: Partial<JWTProviderConfig>): Promise<string | null> {
-    const result = await this.verifyToken(token);
-    
-    if (!result.valid || !result.user) {
-      return null;
-    }
-    
-    // Generate new token with same user data
-    return this.sign({
-      id: result.user.id,
-      email: result.user.email,
-      username: result.user.username,
-      roles: result.user.roles,
-      permissions: result.user.permissions
-    }, options);
-  }
-
-  /**
-   * Create middleware untuk protect route
-   */
-  middleware(options?: { cookieName?: string }) {
-    return async (ctx: Context, next: (ctx: Context) => Promise<any>) => {
-      const result = await this.verify(ctx, options);
-      
-      if (!result.valid) {
-        return ctx.response.status(401).json({
-          error: 'Unauthorized',
-          message: result.error
-        });
-      }
-      
-      // Attach user ke context
-      (ctx as any).user = result.user;
-      
-      return next(ctx);
-    };
-  }
-
-  /**
-   * Check apakah user punya role tertentu
-   */
-  hasRole(user: User, role: string | string[]): boolean {
-    const roles = Array.isArray(role) ? role : [role];
-    return roles.some(r => user.roles?.includes(r));
-  }
-
-  /**
-   * Check apakah user punya permission tertentu
-   */
-  hasPermission(user: User, permission: string | string[]): boolean {
-    const permissions = Array.isArray(permission) ? permission : [permission];
-    return permissions.some(p => user.permissions?.includes(p));
-  }
-
-  // === Private Methods ===
-
-  private extractToken(ctx: Context, cookieName?: string): string | null {
-    // 1. Check Authorization header
-    const authHeader = ctx.headers?.authorization || ctx.headers?.Authorization;
-    if (authHeader) {
-      const header = Array.isArray(authHeader) ? authHeader[0] : authHeader;
-      if (header.startsWith('Bearer ')) {
-        return header.slice(7);
-      }
-    }
-    
-    // 2. Check cookie
-    if (cookieName) {
-      const cookieHeader = ctx.headers?.cookie;
-      if (cookieHeader) {
-        const cookies = Array.isArray(cookieHeader) ? cookieHeader[0] : cookieHeader;
-        const match = cookies.match(new RegExp(`${cookieName}=([^;]+)`));
-        if (match) return match[1];
-      }
-    }
-    
-    // 3. Check query parameter (for websocket atau special cases)
-    if (ctx.query?.token) {
-      return ctx.query.token as string;
-    }
-    
-    return null;
-  }
-
-  private parseExpiry(expiry: string): number {
-    const match = expiry.match(/^(\d+)([smhd])$/);
-    if (!match) return 3600; // default 1h
-    
-    const value = parseInt(match[1]);
-    const unit = match[2];
-    
-    switch (unit) {
-      case 's': return value;
-      case 'm': return value * 60;
-      case 'h': return value * 3600;
-      case 'd': return value * 86400;
-      default: return 3600;
-    }
-  }
-
-  private base64UrlEncode(str: string): string {
-    const base64 = Buffer.from(str).toString('base64');
-    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-  }
-
-  private base64UrlDecode(str: string): string {
-    let base64 = str.replace(/-/g, '+').replace(/_/g, '/');
-    while (base64.length % 4) base64 += '=';
-    return Buffer.from(base64, 'base64').toString('utf-8');
-  }
-
-  private async createSignature(data: string, secret: string): Promise<string> {
-    const crypto = await import('crypto');
-    const hmac = crypto.createHmac('sha256', secret);
-    hmac.update(data);
-    const signature = hmac.digest('base64');
-    return signature.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-  }
-}
-
-/**
- * Factory function untuk create JWTProvider
- */
-export function createJWTProvider(config: JWTProviderConfig): JWTProvider {
-  return new JWTProvider(config);
-}

package/src/security/auth/adapter.ts

@@ -1,12 +0,0 @@
-/**
- * Auth Adapter Exports
- * 
- * Re-exports authentication adapters
- */
-
-export * from '../adapter';
-export { JWTAuthAdapter } from './jwt';
-
-// OAuth and Session adapters will be implemented in future
-// export { OAuthAdapter } from './oauth';
-// export { SessionAdapter } from './session';

package/src/security/auth/jwt.ts

@@ -1,234 +0,0 @@
-/**
- * JWT Authentication Adapter
- * 
- * Implements JWT-based authentication
- */
-
-import type { Context } from '../../core/types';
-import type { User, JWTConfig } from '../types';
-import type { AuthAdapter } from '../adapter';
-
-/**
- * Simple JWT implementation (in production, use a library like jsonwebtoken)
- * This is a basic implementation for demonstration
- */
-export class JWTAuthAdapter implements AuthAdapter<JWTConfig> {
-    /**
-     * Verify JWT token and extract user
-     */
-    async verify(ctx: Context, config: JWTConfig): Promise<User | null> {
-        const token = this.extractToken(ctx, config);
-
-        if (!token) {
-            return null;
-        }
-
-        try {
-            const payload = this.decodeToken(token, config.secret);
-
-            // Check expiration
-            if (payload.exp && payload.exp < Date.now() / 1000) {
-                return null;
-            }
-
-            // Extract user from payload
-            // Destructure known fields and spread the rest to preserve custom fields like 'type'
-            const { sub, id, email, username, roles, permissions, user: nestedUser, iat, exp, ...rest } = payload;
-            
-            const user: User = {
-                id: sub || id,
-                email,
-                username,
-                roles,
-                permissions,
-                ...nestedUser,  // Spread nested user object if exists
-                ...rest         // Spread remaining custom fields (e.g., type)
-            };
-
-            return user;
-        } catch (error) {
-            return null;
-        }
-    }
-
-    /**
-     * Generate JWT token for user
-     */
-    async generateToken(user: User, config: JWTConfig): Promise<string> {
-        const payload: any = {
-            sub: user.id,
-            email: user.email,
-            username: user.username,
-            roles: user.roles,
-            permissions: user.permissions,
-            iat: Math.floor(Date.now() / 1000)
-        };
-
-        // Add expiration
-        if (config.expiresIn) {
-            const expiresIn = typeof config.expiresIn === 'string'
-                ? this.parseExpiration(config.expiresIn)
-                : config.expiresIn;
-            payload.exp = payload.iat + expiresIn;
-        }
-
-        return this.encodeToken(payload, config.secret);
-    }
-
-    /**
-     * Refresh JWT token (placeholder for future implementation)
-     */
-    async refreshToken(token: string, config: JWTConfig): Promise<string | null> {
-        if (!config.refresh?.enabled) {
-            return null;
-        }
-
-        try {
-            const payload = this.decodeToken(token, config.secret);
-
-            // Re-generate with new exp
-            const newPayload = {
-                ...payload,
-                iat: Math.floor(Date.now() / 1000)
-            };
-
-            if (config.refresh.expiresIn) {
-                const expiresIn = typeof config.refresh.expiresIn === 'string'
-                    ? this.parseExpiration(config.refresh.expiresIn)
-                    : config.refresh.expiresIn;
-                newPayload.exp = newPayload.iat + expiresIn;
-            }
-
-            return this.encodeToken(newPayload, config.secret);
-        } catch (error) {
-            return null;
-        }
-    }
-
-    /**
-     * Extract token from request
-     */
-    private extractToken(ctx: Context, config: JWTConfig): string | null {
-        // Use custom extractor if provided
-        if (config.getToken) {
-            return config.getToken(ctx);
-        }
-
-        // Try Authorization header
-        const authHeader = ctx.headers['authorization'] || ctx.headers['Authorization'];
-        if (authHeader) {
-            const headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;
-            if (headerValue?.startsWith('Bearer ')) {
-                return headerValue.substring(7);
-            }
-        }
-
-        // Try cookie
-        const cookieHeader = ctx.headers['cookie'] || ctx.headers['Cookie'];
-        if (cookieHeader) {
-            const cookieValue = Array.isArray(cookieHeader) ? cookieHeader[0] : cookieHeader;
-            if (cookieValue) {
-                const match = cookieValue.match(/token=([^;]+)/);
-                if (match) {
-                    return match[1];
-                }
-            }
-        }
-
-        return null;
-    }
-
-    /**
-     * Encode JWT token (simplified HMAC-SHA256)
-     */
-    private encodeToken(payload: any, secret: string): string {
-        const header = { alg: 'HS256', typ: 'JWT' };
-
-        const encodedHeader = this.base64UrlEncode(JSON.stringify(header));
-        const encodedPayload = this.base64UrlEncode(JSON.stringify(payload));
-
-        const signature = this.sign(`${encodedHeader}.${encodedPayload}`, secret);
-
-        return `${encodedHeader}.${encodedPayload}.${signature}`;
-    }
-
-    /**
-     * Decode and verify JWT token
-     */
-    private decodeToken(token: string, secret: string): any {
-        const parts = token.split('.');
-
-        if (parts.length !== 3) {
-            throw new Error('Invalid token format');
-        }
-
-        const [encodedHeader, encodedPayload, signature] = parts;
-
-        // Verify signature
-        const expectedSignature = this.sign(`${encodedHeader}.${encodedPayload}`, secret);
-        if (signature !== expectedSignature) {
-            throw new Error('Invalid signature');
-        }
-
-        // Decode payload
-        const payload = JSON.parse(this.base64UrlDecode(encodedPayload));
-
-        return payload;
-    }
-
-    /**
-     * Base64 URL encode
-     */
-    private base64UrlEncode(str: string): string {
-        const base64 = Buffer.from(str).toString('base64');
-        return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-    }
-
-    /**
-     * Base64 URL decode
-     */
-    private base64UrlDecode(str: string): string {
-        let base64 = str.replace(/-/g, '+').replace(/_/g, '/');
-
-        // Add padding
-        while (base64.length % 4) {
-            base64 += '=';
-        }
-
-        return Buffer.from(base64, 'base64').toString('utf-8');
-    }
-
-    /**
-     * Sign data with HMAC-SHA256
-     */
-    private sign(data: string, secret: string): string {
-        const crypto = require('crypto');
-        const hmac = crypto.createHmac('sha256', secret);
-        hmac.update(data);
-        const signature = hmac.digest('base64');
-        return signature.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-    }
-
-    /**
-     * Parse expiration string to seconds
-     */
-    private parseExpiration(exp: string): number {
-        const match = exp.match(/^(\d+)([smhd])$/);
-
-        if (!match) {
-            throw new Error('Invalid expiration format');
-        }
-
-        const value = parseInt(match[1]);
-        const unit = match[2];
-
-        const multipliers: Record<string, number> = {
-            s: 1,
-            m: 60,
-            h: 3600,
-            d: 86400
-        };
-
-        return value * multipliers[unit];
-    }
-}